Schneier on Speaking Out: Maybe it Helps?

*Study.* Studying can take many forms. It can be classwork, either at universities or at training conferences like SANS and Offensive Security. (See below for some good self-starter resources.) It can be reading; there are a lot of excellent books out there -- and blogs -- that teach different aspects of computer security out there. Don't limit yourself to computer science, either. You can learn a lot by studying other areas of security, and soft sciences like economics, psychology, and sociology.

*Do.* Computer security is fundamentally a practitioner's art, and that requires practice. This means using what you've learned to configure security systems, design new security systems, and -- yes -- break existing security systems. This is why many courses have strong hands-on components; you won't learn much without it.

*Show.* It doesn't matter what you know or what you can do if you can't demonstrate it to someone who might want to hire you. This doesn't just mean sounding good in an interview. It means sounding good on mailing lists and in blog comments. You can show your expertise by making podcasts and writing your own blog. You can teach seminars at your local user group meetings. You can write papers for conferences, or books.

Note particularly the boldfaced stuff on blog comments and mailing lists. Bruce is the only person I can think of who actually has a good word for this kind of mindless yapping voluntary unsolicited comment. But could he be onto something? Anecdote: this year for the first time I required of my students that they make contributions to a classroom blog. I got a lot of blowback. Cynic that I am, I suspect that some of it came from people who simply didn't want to have to mess with just one more course requirement. But several of them said they didn't want to be required to post stuff that might come back to bite them in the ankle in the job market. On this one I just called their bluff: I said okay, it will be a private blog, open only to class members.

In time the flak died away and the contributions rolled in. By the end of the semester, my own take was that they were writing some pretty good stuff. I had also encouraged them to comment on each other's work. In fact I got almost none of that on the blog, but I do presume to perceive that the general level of classroom discussion was somewhat higher this year than in the recent past, and I dare to speculate that the blog broke down some of the near-universal student reticence.

You can see where I am going here. If I were one of my former students now looking for a job (sadly, too many of them are), I might be tempted to showcase the blog comments to a prospective employer to show (say) a spirit of patient inquisitiveness, a breadth of interest, that sort of thing. IOW, is their paranoia hurting them?

Second anecdote: I lurk on a couple of professional chat lists. Some of the commentary is idiotic, embarrassing. But there are a few professionals on board who offer spectacularly good advice to their colleagues (and do it for free). A few are names I never heard before. In a couple of cases, I've (cautiously, and with qualification) referred prospective clients their way. I have no idea whether it took; I made absolutely no attempt to tell the target what I was up to. But it wouldn't have happened had I not seen the kind of commentary that Bruce appears to envision.

1 comment:

Ebenezer Scrooge said...

I am probably on one of the lawyer's listservs that our genial host mentions. People on the listserv are quite conscious that intelligent posts are a good way of building reputation. Maybe too conscious. The listserv suffers from a paucity of naive questions that would draw intelligent responses.